The Cyber Security News
Researchers Bypass SMS-based Multi-Factor Authentication Protecting Box Accounts

January 18, 2022

Cybersecurity researchers have disclosed details of a now-patched bug in Box’s multi-factor authentication (MFA) system that could be abused to completely bypass SMS-based login verification.

“Using this technique, an attacker could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone,” Varonis researchers said in a report shared with The Hacker News.

The cybersecurity firm said it reported the issue to the cloud service provider on November 2, 2021, after which fixes were issued by Box.


MFA is an authentication approach that relies on a combination of factors such as a password (something only the user knows) and a temporary one-time password, aka TOTP (something only the user has), to give users a second layer of defense against credential stuffing and other account takeover attacks.

This two-step authentication can either involve sending the code as an SMS or, alternatively, having it generated by an authenticator app or a hardware security key. Thus, when a Box user who is enrolled for SMS verification logs in with a valid username and password, the service sets a session cookie and redirects the user to a page where the TOTP can be entered to gain access to the account.

The bypass identified by Varonis is a consequence of what the researchers called a mixup of MFA modes. It occurs when an attacker signs in with the victim’s credentials and abandons the SMS-based authentication in favor of a different process that uses, say, the authenticator app to successfully complete the login simply by providing the TOTP associated with their own Box account.

“Box misses that the victim hasn’t enrolled [in] an authenticator app, and instead blindly accepts a valid authentication passcode from a totally different account without first checking that it belonged to the user that was logging in,” the researchers said. “This made it possible to access the victim’s Box account without accessing their phone or notifying the user via SMS.”

Put differently, Box not only did not check whether the victim was enrolled in authenticator app-based verification (or any method other than SMS), it also did not validate that the code entered came from an authenticator app that is actually linked to the victim who is attempting to log in.


The findings come a little over a month after Varonis disclosed a similar technique that could enable malicious actors to get around authenticator-based verification by “unenroll[ing] a user from MFA after providing a username and password but before providing the second factor.”

“The /mfa/unenrollment endpoint did not require the user to be fully authenticated in order to remove a TOTP device from a user’s account,” the researchers noted in early December 2021.
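The two failures described above (the MFA mode mixup and the unenrollment endpoint that accepted a half-authenticated session) can be shown side by side in a small server-side model. This is an added illustration, not Box’s or Varonis’s code: the factor table, the `factor_id` submitted by the client, the session dictionary and the timestamp are all constructed assumptions, and the TOTP routine is a plain RFC 6238 implementation.

```python
import hashlib
import hmac
import struct

# Constructed sample data (not Box's real schema): every MFA factor records
# its owner and type; only the attacker's account has a TOTP authenticator.
FACTORS = {
    "f-victim-sms": {"owner": "victim", "type": "sms"},
    "f-attacker-totp": {"owner": "attacker", "type": "totp",
                        "secret": b"attacker-demo-secret"},
}

def totp_code(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for the 30-second window."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def verify_second_factor_vulnerable(session_user, factor_id, code, now):
    """Mode mixup: trusts the client-chosen factor, never asks whose it is."""
    factor = FACTORS.get(factor_id)
    if factor is None or factor["type"] != "totp":
        return False
    return hmac.compare_digest(totp_code(factor["secret"], now), code)

def verify_second_factor_hardened(session_user, factor_id, code, now):
    """Bind the factor to the half-authenticated session before checking."""
    factor = FACTORS.get(factor_id)
    if factor is None or factor["owner"] != session_user:
        return False  # factor is someone else's (or does not exist)
    if factor["type"] != "totp":
        return False  # user is enrolled for SMS only; no TOTP path for them
    return hmac.compare_digest(totp_code(factor["secret"], now), code)

def unenroll_factor(session, factor_id):
    """Removing a factor needs a fully authenticated session, not just a password."""
    factor = FACTORS.get(factor_id)
    if not session.get("mfa_complete") or factor is None or factor["owner"] != session["user"]:
        return False
    del FACTORS[factor_id]
    return True

def demo():
    now = 1_642_464_000  # fixed timestamp so the run is deterministic
    attackers_code = totp_code(FACTORS["f-attacker-totp"]["secret"], now)
    # Session belongs to "victim" (stolen password) but the challenge is answered
    # with the attacker's own factor id and code: vulnerable accepts, hardened rejects.
    return (verify_second_factor_vulnerable("victim", "f-attacker-totp", attackers_code, now),
            verify_second_factor_hardened("victim", "f-attacker-totp", attackers_code, now))
```

The hardened check also covers the case the article stresses: a user enrolled only for SMS has no TOTP factor of their own, so no authenticator code from any account can complete their login.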

“MFA is only as good as the developer writing the code [and] can provide a false sense of security,” the researchers concluded. “Just because MFA is enabled does not necessarily mean an attacker must gain physical access to a victim’s device to compromise their account.”



Some parts of this article are sourced from:
thehackernews.com

Copyright © TheCyberSecurity.News, All Rights Reserved.